Panu Matilainen

7 exploits Active since Nov 2017
CVE-2017-7500 WRITEUP HIGH WRITEUP
rpm 4.13.0.0-4.13.0.1 - Improper Link Resolution Before File Access
It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write access to a directory in which a subdirectory will be installed, could redirect that directory to an arbitrary location and gain root privilege.
CVSS 7.3
CVE-2017-7500 WRITEUP HIGH WRITEUP
rpm 4.13.0.0-4.13.0.1 - Improper Link Resolution Before File Access
It was found that rpm did not properly handle RPM installations when a destination path was a symbolic link to a directory, possibly changing ownership and permissions of an arbitrary directory, and RPM files being placed in an arbitrary destination. An attacker, with write access to a directory in which a subdirectory will be installed, could redirect that directory to an arbitrary location and gain root privilege.
CVSS 7.3
CVE-2017-7501 WRITEUP HIGH WRITEUP
RPM <4.13.0.2 - Privilege Escalation
It was found that versions of rpm before 4.13.0.2 use temporary files with predictable names when installing an RPM. An attacker with ability to write in a directory where files will be installed could create symbolic links to an arbitrary location and modify content, and possibly permissions to arbitrary files, which could be used for denial of service or possibly privilege escalation.
CVSS 7.8
CVE-2021-20271 WRITEUP HIGH WRITEUP
rpm 4.15.0-4.15.1.3 - Remote Code Execution via Modified Signature Header
A flaw was found in RPM's signature check functionality when reading a package file. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package, whose signature header was modified, to cause RPM database corruption and execute code. The highest threat from this vulnerability is to data integrity, confidentiality, and system availability.
CVSS 7.0
CVE-2021-35938 WRITEUP MEDIUM WRITEUP
rpm < 4.18.0 - Privilege Escalation via Symbolic Link Attack
A symbolic link issue was found in rpm. It occurs when rpm sets the desired permissions and credentials after installing a file. A local unprivileged user could use this flaw to exchange the original file with a symbolic link to a security-critical file and escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS 6.7
CVE-2021-35939 WRITEUP MEDIUM WRITEUP
Fix incomplete - Privilege Escalation
It was found that the fix for CVE-2017-7500 and CVE-2017-7501 was incomplete: the check was only implemented for the parent directory of the file to be created. A local unprivileged user who owns another ancestor directory could potentially use this flaw to gain root privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS 6.7
CVE-2021-3521 WRITEUP MEDIUM WRITEUP
rpm < 4.17.1 - Improper Verification of Cryptographic Signature
There is a flaw in RPM's signature functionality. OpenPGP subkeys are associated with a primary key via a "binding signature." RPM does not check the binding signature of subkeys prior to importing them. If an attacker is able to add or socially engineer another party to add a malicious subkey to a legitimate public key, RPM could wrongly trust a malicious signature. The greatest impact of this flaw is to data integrity. To exploit this flaw, an attacker must either compromise an RPM repository or convince an administrator to install an untrusted RPM or public key. It is strongly recommended to only use RPMs and public keys from trusted sources.
CVSS 4.7